Compass IT Compliance Blog

PCI Requirement 10 - Big Brother is Watching!

Oct 30, 2018 10:44:56 AM | Derek Morris | PCI Compliance


This is the tenth blog in a 12-part series addressing each PCI DSS Requirement and the challenges faced by companies going through this process. To view the previous posts in this series, click on the appropriate links below:  

PCI Requirement 1 - Defending the Wall

PCI Requirement 2 - Change Your Defaults!

PCI Requirement 3 - Don't Store Cardholder Data!

PCI Requirement 4 - Hide in Plain Sight!

PCI Requirement 5 - Update and Scan

PCI Requirement 6 - Patches and Scanning and Coding, Oh My!!

PCI Requirement 7 - Thou Shall Not Pass!

PCI Requirement 8 - Identify, Authenticate, and Authorize

PCI Requirement 9 - Lock the Doors and Don't Forget the Windows Too!

PCI Requirement 10 - Track and Monitor All Access to Network Resources and Cardholder Data

Requirement 10 is what gives you “eyes” on your CDE and on any cardholder data that enters your environment. That visibility comes from centralized collection of audit trails and of system, application, and security logs, together with monitoring of the system-level and hardware-level components that make up the CDE. The other purpose of Requirement 10 is to keep eyes on administrative access to the CDE. Accounts with that level of access hold the “keys to the kingdom,” including visibility into cardholder data, so the requirement expects every action they take to be logged and reviewed.

Requirement 10 has its challenges. The one organizations feel most is the need for additional resources to review these logs: PCI DSS calls for daily review of the logs from in-scope critical systems and security-relevant components, and periodic, risk-based review of everything else, and someone has to follow up on whatever that review turns up. Small groups may not have enough personnel or time to investigate further.
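As an added illustration of what the daily review described above actually does (this is example code written for this edit, not part of the original post and not a Compass IT Compliance tool), the script below runs a first pass over a handful of constructed auth.log-style lines from a hypothetical CDE host: it normalizes each line into the fields Requirement 10.3 expects (user, event type, time, success or failure, origin, affected resource), tags it with the Requirement 10.2 event category it falls under (administrative actions, access to audit trails, failed access attempts, stopping of audit logs, account creation), and turns the result into a short list of findings a reviewer can act on instead of a raw stream of alerts. The host names, IP addresses, user names, and log lines are all made up; the 10.2 and 10.3 numbering follows PCI DSS v3.2.1, the version current when this post was written. A script like this does not by itself satisfy Requirement 10, which also needs centralized, tamper-protected log storage, time synchronization, and retention; it only shows the kind of triage that makes the daily review manageable for a small team.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not real data) from a hypothetical in-scope host.
SAMPLE_LOG = """\
2018-10-29T08:01:12Z cde-db01 sshd[2210]: Accepted publickey for dbadmin from 10.20.1.15 port 51422 ssh2
2018-10-29T08:01:40Z cde-db01 sudo: dbadmin : TTY=pts/0 ; PWD=/home/dbadmin ; USER=root ; COMMAND=/bin/systemctl stop auditd
2018-10-29T08:02:03Z cde-db01 sudo: dbadmin : TTY=pts/0 ; PWD=/home/dbadmin ; USER=root ; COMMAND=/usr/bin/less /var/log/audit/audit.log
2018-10-29T09:15:55Z cde-app02 sshd[3310]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2
2018-10-29T09:15:58Z cde-app02 sshd[3310]: Failed password for invalid user admin from 203.0.113.9 port 40114 ssh2
2018-10-29T09:16:01Z cde-app02 sshd[3310]: Failed password for invalid user admin from 203.0.113.9 port 40116 ssh2
2018-10-29T10:30:00Z cde-app02 useradd[4000]: new user: name=svc_batch, UID=1007, GID=1007, home=/home/svc_batch, shell=/bin/bash
2018-10-29T11:00:00Z cde-app02 sshd[3400]: Accepted password for appuser from 10.20.1.30 port 51000 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
SSH_RE = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
USERADD_RE = re.compile(r"^new user: name=(?P<user>[^,]+)")


def parse_line(line):
    """Normalize one syslog-style line into the PCI DSS 10.3 fields and a 10.2 event category."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {
        "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),  # 10.3.3 date and time
        "host": m["host"],
        "user": None,          # 10.3.1 user identification (filled in below when the line carries it)
        "src": m["host"],      # 10.3.5 origination; overwritten with the remote address for logins
        "success": True,       # 10.3.4 success or failure indication
        "event": "other",      # 10.3.2 type of event, expressed as a 10.2 category
        "resource": None,      # 10.3.6 affected resource (command, account, service)
    }
    proc, msg = m["proc"].strip(), m["msg"]
    if proc == "sudo":
        s = SUDO_RE.match(msg)
        if s:
            rec.update(user=s["user"], resource=s["cmd"], event="admin_action")  # 10.2.2
            if re.search(r"\b(stop|disable|kill)\b.*auditd", s["cmd"]):
                rec["event"] = "audit_log_stopped"                                # 10.2.6
            elif "/var/log/audit" in s["cmd"]:
                rec["event"] = "audit_trail_access"                               # 10.2.3
    elif proc == "sshd":
        s = SSH_RE.match(msg)
        if s:
            ok = s["result"] == "Accepted"
            rec.update(user=s["user"], src=s["src"], success=ok, resource="ssh",
                       event="user_access" if ok else "failed_access")            # 10.2.4 for failures
    elif proc == "useradd":
        s = USERADD_RE.match(msg)
        if s:
            # The new account is the affected resource; the line does not say who created it.
            rec.update(resource=s["user"], event="account_created")              # 10.2.5
    return rec


def daily_review(log_text, fail_threshold=3):
    """First-pass daily review: per-category counts plus findings that need a human to follow up."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    counts = Counter(r["event"] for r in records)
    findings = []
    for r in records:
        if r["event"] == "audit_log_stopped":
            findings.append(("CRITICAL", r["host"], f"{r['user']} ran '{r['resource']}': audit logging stopped (10.2.6)"))
        elif r["event"] == "audit_trail_access":
            findings.append(("HIGH", r["host"], f"{r['user']} accessed the audit trail via '{r['resource']}' (10.2.3)"))
    # Repeated failed logins from one source against one host (10.2.4) are reported once, not per line.
    fails = defaultdict(list)
    for r in records:
        if r["event"] == "failed_access":
            fails[(r["host"], r["src"])].append(r["time"])
    for (host, src), times in fails.items():
        if len(times) >= fail_threshold:
            span = (max(times) - min(times)).total_seconds()
            findings.append(("HIGH", host, f"{len(times)} failed logins from {src} within {span:.0f}s (10.2.4)"))
    # A record with no user ID cannot satisfy 10.3.1 on its own and must be correlated with another source.
    for r in records:
        if r["user"] is None and r["event"] != "other":
            findings.append(("GAP", r["host"], f"{r['event']} event for '{r['resource']}' carries no user ID (10.3.1)"))
    return {"records": records, "counts": counts, "findings": findings}


if __name__ == "__main__":
    review = daily_review(SAMPLE_LOG)
    for event, n in sorted(review["counts"].items()):
        print(f"{event:20s} {n}")
    for severity, host, text in review["findings"]:
        print(f"[{severity}] {host}: {text}")
```

The point of the grouping in `daily_review` is the fourth challenge below: three failed logins become one finding, the audit daemon being stopped is surfaced as the single item that must be explained today, and the useradd line is flagged not because it is malicious but because the log itself is missing a field the requirement demands.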

Companies that require PCI Compliance face some familiar challenges within requirement 10:

  1. New Tools - Investing in the new tools necessary to meet Requirement 10 has a cost, and depending on the scale of the environment that cost can increase quickly.
  2. More Tools - Proliferation of the tools the IT or security group will have to manage, keep updated, fine tune, investigate with, and learn to use.
  3. Data - These new tools pull logs into central systems, which increases the amount of data that has to be stored, protected, and retained. Costs can climb quickly with the new hardware and software that must be put in place.
  4. Notifications - Many more alert emails or notifications can start to overwhelm a smaller group, and an alert nobody reads is no better than no alert at all.

Compass IT Compliance is well versed in the PCI compliance space and can help your company with a risk assessment to determine what you need to do to comply with PCI.

These challenges are just some of the areas within the PCI DSS requirements that many of our clients face. Another area where our clients experience challenges is keeping track of the various requirements that must be completed on a quarterly, semi-annual, and annual basis for PCI Compliance. Therefore, Compass IT Compliance has created our PCI Compliance checklist, one for service providers and one for merchants. This simple, easy to use checklist, gives you the PCI requirements, what you must do to achieve/maintain compliance, and how often you need to complete each requirement. To download your copy today, click on the button below!


Written by Derek Morris

Derek is an experienced Senior Information Technology Security Auditor with Compass IT Compliance and an IT professional with over 20 years in the security and infrastructure arena of IT, nearly half of them in Management, Director, and ISO roles. Derek holds numerous industry and vendor certifications including CISSP, CISM, CISA, CCNA, and MCSA, and is currently one of the Qualified Security Assessors (QSA) for PCI at Compass. He holds a Bachelor's Degree in Computer Information Systems from Bryant University.